Ponemon Institute report shows more encryption across cloud environments, but only a modest increase over the years

InfoWorld | Apr 30, 2014

The Ponemon Institute, working in conjunction with encryption solutions provider Thales e-Security, has produced its third annual report on global trends in cloud encryption. From what they found, about half the organizations out there are moving confidential data to the cloud, and confidence in cloud solutions as being securable is increasing. However, the question of who protects the data, and whether it's protected at all, is still up in the air.

Ponemon asked 4,275 business and IT managers in multiple countries (the United States, the United Kingdom, Germany, France, Australia, Japan, Brazil, and Russia) about the ways they used cloud services and encryption, vis-à-vis their handling of sensitive data. This included whether or not companies encrypted data in the cloud at all or whether said data was encrypted before or after being moved into the cloud.

As this was the third year for the survey, Ponemon paid attention to trends since the first edition of the report. It found that trust in the cloud as a repository for sensitive data is increasing, if only because consciousness of what it takes to keep data secure in the cloud is also on the rise.

About half of the organizations are trusting what they describe as sensitive or confidential data to the cloud -- 49 percent in 2011, now up to 53 percent. But companies that have "a stronger security posture" (in Ponemon's characterization) are more likely to move such data to the cloud. Companies in Germany are more likely to do it than companies in Russia, for example.

The perception of who's most responsible for securing cloud-hosted data also varies enormously with the venue. With SaaS environments, for instance, more than half of those polled believed the cloud provider was most responsible for data security. But when dealing with IaaS/PaaS, nearly half of those polled believed data security was a responsibility to be shared between the customer and the cloud provider. This makes sense, given the closed-ended nature of SaaS offerings; a greater share of the security burden deserves to fall on the provider rather than the end-user.

When it came to encryption at rest, the numbers were remarkably consistent -- and consistently low -- between environments. Only 39 percent of SaaS users and 26 percent of IaaS/PaaS users had data at rest encrypted, and only 44 percent (SaaS)/40 percent (IaaS/PaaS) of those users were encrypting data before sending it to the cloud. An unsurprisingly strong correlation existed between a company's overall security posture (if they are subject to regulations, for example) and its use of encryption. One possible implication of that finding: If a company doesn't already feel encryption is required now, it's not likely to change its mind about it in the short term.

Respondents' perceptions about who controlled encryption when it was in use were also telling. For both app-level encryption and data at rest in the cloud, 34 percent believed they had control of encryption keys. The next biggest group believed it was a combination of their organization and the cloud provider (28 percent for apps, 29 percent for data at rest). "A third-party service" came in at 17 percent/18 percent, and "the cloud provider" came in at 19 percent/17 percent. Here, the consistency between the numbers for apps and at-rest encryption hints at how the encryption profile across all types of companies is consistent. In other words, the use of encryption may be more closely tied to the type of company than the type of data.

Encryption by default in the cloud is rarely a bad idea, and most of the major cloud providers (Google, certainly) have been making what hay they can out of professing to encrypt everything at rest. But the trick is to provide it in such a way that end-users can confirm encryption is taking place and can't easily be defeated on the cloud provider's side. Even if encryption isn't employed unilaterally by cloud customers and uptake for same remains modest, they'll scarcely be indifferent to the option to become that much more secure -- and to control the parameters for that security.
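The practice the survey measures (encrypting data before it is sent to the cloud, with the customer rather than the provider holding the keys) and the closing point that customers should be able to confirm encryption and that it should not be defeatable on the provider's side are both illustrated by the following example. It is added here and is not code from the report, from Ponemon, Thales or InfoWorld: it uses only Go's standard-library AES-256-GCM, the `Envelope` type and the function names are hypothetical, the in-memory map stands in for a provider's bucket, the sample record is constructed, and the key-encryption key is assumed to live in the customer's own key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what leaves the customer's environment: a per-object data key
// (DEK) wrapped under the customer-held key-encryption key (KEK), plus the
// object sealed under that DEK. The KEK itself is never uploaded.
type Envelope struct {
	WrappedDEK []byte
	Payload    []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM, prefixing the random nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check fails on tampering or a wrong key.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// EncryptForUpload runs on the customer side before anything is sent: a fresh
// 256-bit DEK per object, wrapped under the KEK.
func EncryptForUpload(kek, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	payload, err := seal(dek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Payload: payload}, nil
}

// DecryptAfterDownload unwraps the DEK with the KEK, then opens the payload.
// Without the KEK neither step is possible: that is what key control means.
func DecryptAfterDownload(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Payload)
}

func main() {
	// Hypothetical setup: the KEK lives in the customer's own key store.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	bucket := map[string]Envelope{} // stands in for the provider's storage
	record := []byte("constructed sample: account 1001, balance 250.00")
	env, err := EncryptForUpload(kek, record)
	if err != nil {
		panic(err)
	}
	bucket["records/1001"] = env // this is all the provider ever receives
	back, err := DecryptAfterDownload(kek, bucket["records/1001"])
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider holds %d ciphertext bytes; customer recovers %q\n", len(env.Payload), back)
}
```

Because the provider only ever stores `Envelope` values, the customer does not have to take an "encrypted at rest" claim on trust: the ciphertext is produced and verified on the customer's side, and a provider-side decrypt attempt with any key other than the customer's KEK fails the GCM tag check, as does any modification of the stored bytes.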